
Yeah, the broad campaign makes it extremely noticeable. There are active campaigns right now that don't take this approach. Singular packages with novel malicious payloads.

> As a person who regularly runs pip install on my main desktop, I am worried about the arbitrary code execution that happens when you pip install.

We've open-sourced a sandbox and wrapped the Phylum CLI with it, so you can do something like `phylum pip install <pkgName>`. It'll check our API first for known malware, then, if the package appears clean, it will perform the installation in the sandbox. You can specify what the sandbox is allowed to touch in a TOML file.

See: https://github.com/phylum-dev/birdcage
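As an added illustration of the two-stage flow the comment describes (a known-malware lookup, then an installation confined by a TOML policy), here is a small Python example. It is not Phylum's or birdcage's code: the `KNOWN_MALWARE` table stands in for the remote API lookup, the TOML keys (`allow_read`, `allow_write`, `allow_net`, `interpreter`) are a schema invented for this example rather than birdcage's real format, and the sandbox is expressed as a bubblewrap (`bwrap`) command line that is built and shown but not executed.

```python
"""Added example (not Phylum's or birdcage's code): check a package name
against a local stand-in for the malware lookup, then build a sandboxed
`pip install` command from a TOML policy.

Constructed assumptions:
- KNOWN_MALWARE replaces the remote API call described in the comment.
- The [sandbox] TOML schema below is this example's own, not birdcage's.
- The sandbox is expressed as a bwrap argv (real bwrap flags); it is
  returned for inspection rather than run, so the example works offline.
"""
from __future__ import annotations

import shlex

try:
    import tomllib  # Python 3.11+
except ModuleNotFoundError:  # pragma: no cover - older interpreters
    import tomli as tomllib  # type: ignore

# Constructed stand-in for the "check our API first" step.
KNOWN_MALWARE: dict[str, str] = {
    "evil-pkg": "flagged as malicious (constructed example entry)",
}

# Constructed policy: what the sandboxed installer may read, write, and whether
# it gets network access. Paths are placeholders for this example.
SANDBOX_TOML = """
[sandbox]
interpreter = "/home/user/.venvs/proj/bin/python"
allow_read  = ["/usr", "/lib", "/lib64", "/etc/ssl"]
allow_write = ["/home/user/.venvs/proj"]
allow_net   = true
"""


def check_package(name: str) -> str | None:
    """Return a reason if the package is known-bad, otherwise None."""
    return KNOWN_MALWARE.get(name.lower())


def build_sandbox_cmd(policy_toml: str, pip_args: list[str]) -> list[str]:
    """Translate the TOML policy into a bwrap argv that runs pip inside it."""
    policy = tomllib.loads(policy_toml)["sandbox"]
    # Start from "nothing shared": fresh namespaces, sandbox dies with parent.
    cmd = ["bwrap", "--unshare-all", "--die-with-parent", "--new-session"]
    for path in policy.get("allow_read", []):
        cmd += ["--ro-bind", path, path]        # read-only mounts
    for path in policy.get("allow_write", []):
        cmd += ["--bind", path, path]           # the only writable locations
    if policy.get("allow_net", False):
        cmd += ["--share-net"]                  # re-enable network only if allowed
    cmd += ["--proc", "/proc", "--dev", "/dev", "--tmpfs", "/tmp"]
    # Run the venv's own interpreter so installs land inside the writable mount.
    cmd += [policy["interpreter"], "-m", "pip", "install", *pip_args]
    return cmd


def guarded_install(name: str, policy_toml: str) -> tuple[str, list[str]]:
    """Stage 1: refuse known malware. Stage 2: return the sandboxed install argv."""
    reason = check_package(name)
    if reason is not None:
        return f"blocked: {name}: {reason}", []
    return "sandboxed", build_sandbox_cmd(policy_toml, [name])


if __name__ == "__main__":
    for pkg in ("evil-pkg", "requests"):
        verdict, argv = guarded_install(pkg, SANDBOX_TOML)
        print(verdict)
        if argv:
            print("  would run:", shlex.join(argv))
```

The policy deliberately starts from `--unshare-all` and adds capabilities back, so anything not listed in the TOML (the user's home directory, SSH keys, the network when `allow_net` is false) is simply absent inside the sandbox rather than blocked after the fact.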



This is great. Is there something for crates.io?

Does the safety-oriented Rust community do this _automatically_?



